Acronym Monday: WAF

What does WAF mean in plain English?

Today’s Acronym Monday is brought to you by the acronym WAF and also National Cyber Security Awareness Month. That means you’ll be treated to cybersecurity acronyms every Monday for the whole month of October.

You’re probably familiar with the term firewall—most recognized as the security measure you can enable on your computer to help stop viruses, hackers, and other unwanted guests from using the internet to get into your computer.

WAF stands for “web application firewall.” It’s different from the kind of firewall you’re probably used to. There are firewalls available for pretty much any technology that connects to the internet. Your personal computer, all kinds of servers, and even your wireless routers can all have firewalls.


Where does the term firewall come from?

You have likely heard the term firewall in the construction sense. Many apartment buildings have brick walls between individual units, which are called firewalls. The purpose of these architectural firewalls is to keep fires contained so that they don’t spread to the entire building before they can be put out. This is how the computer term “firewall” got its name.


What is a web application?

A web application is a lot like a website. In fact, each is often mistaken for the other. A web application is a program whose user interface runs in a web browser, meaning you can access it from Chrome, Safari, Firefox, or Internet Explorer, for example, and you don’t need software installed on your computer to use it. A widely used example of a web application is the Google Apps Suite. Applications like Google Drive, Docs, Sheets, and Slides are all web applications because you can access them from your browser.


How is a WAF different from any other firewall?

A web application firewall blocks unauthorized traffic for one particular application, whereas a firewall for your whole computer blocks all unauthorized traffic to the entire system. A WAF works independently of your computer’s firewall and can be focused on individual web applications. Think of it as a small-scale firewall.

To explain this difference, let’s return to the construction idea of a firewall. Imagine you live in an apartment. Much to your dismay, a fire has broken out in your neighbor’s unit. Luckily, your apartment building features a firewall surrounding each unit. This represents the firewall on your computer. Just like the apartment is protected from outside fires, the computer is protected from outside viruses or other intrusions.

But to explain the web application firewall, now imagine you’ve got your original birth certificate. You protect it by keeping it in a fireproof lockbox. The birth certificate is like a web application, and the lockbox is like the firewall that protects it. Just as you can use the lockbox to protect individual documents, you can use a WAF to protect individual web applications. This is completely independent of your computer or its firewall. In other words, with a WAF, even if your computer doesn’t have a firewall, your connection to the web application is still secure.


What do WAFs protect against?

Web application firewalls protect against certain attacks that exploit vulnerabilities in a piece of software’s code. Cross-site scripting attacks are one example: they could allow attackers to gather a lot of information about site visitors, or they can be used almost as precursors to additional attacks that gather even more information about site visitors.
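To make the difference between the two kinds of firewall concrete, here is a small Python example added for illustration; it is not from the original post or from any WAF product. The function names, the three patterns, and the app.example URLs are all constructed, and the host firewall is reduced to a simple port check.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ALLOWED_PORTS = {80, 443}  # constructed policy for the host firewall

# Constructed, deliberately tiny rule set; real WAF rule sets are far larger.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon\w+\s*=", re.I),   # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
]

def host_firewall_allows(dst_port):
    """Port-level decision: sees where traffic is going, not what it says."""
    return dst_port in ALLOWED_PORTS

def waf_verdict(url):
    """Application-level decision: inspect each decoded query parameter."""
    query = urlsplit(url).query
    # parse_qsl percent-decodes values, so %3Cscript%3E is matched as <script>
    for name, value in parse_qsl(query, keep_blank_values=True):
        for pattern in XSS_PATTERNS:
            if pattern.search(value):
                return ("block", name)
    return ("allow", None)

def handle(dst_port, url):
    """Run a request past the host firewall first, then the WAF."""
    if not host_firewall_allows(dst_port):
        return "dropped by host firewall"
    action, param = waf_verdict(url)
    if action == "block":
        return f"blocked by WAF (parameter {param!r})"
    return "forwarded to application"

# Constructed sample requests
SAMPLES = [
    (443, "https://app.example/search?q=fire+doors"),
    (443, "https://app.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    (23, "https://app.example/search?q=fire+doors"),
]

if __name__ == "__main__":
    for port, url in SAMPLES:
        print(port, url, "->", handle(port, url))
```

The second sample arrives on an allowed port, so the port check lets it through; only the WAF, which reads the request itself, stops it.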


Are WAFs important?

A properly deployed WAF can be a great first line of defense against many security threats. The problem is that WAFs are often deployed simply to fulfill legal security requirements, and so they are deployed improperly or are not adequately maintained. Companies and organizations only want to be able to say, “Yes, we have a WAF.”

By no means is a WAF the only line of defense necessary for web applications, but it is a necessary step towards a robust cybersecurity program for any organization. Look for cybersecurity specialists that actually care about your security and will make it a priority. It’s not worth the risk to skimp on your security program.